Bugtraq mailing list archives

FreeBSD Security Advisory: FreeBSD-SA-97:03.sysinstall

From: aleph1 () DFW NET (Aleph One)
Date: Mon, 7 Apr 1997 16:05:55 -0500


-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-97:03                                            Security Advisory
                                                            FreeBSD, Inc.

Topic:          sysinstall bug

Category:       core
Module:         sysinstall
Announced:      1997-04-07
Affects:        FreeBSD 2.1, FreeBSD 2.1.5, FreeBSD 2.1.6 and FreeBSD 2.1.7
                FreeBSD 2.2 and FreeBSD 2.2.1.

Corrected:      all versions as of 1997-04-01. This includes the installation                   floppies for FreeBSD 
2.2.1 found on:
                ftp://ftp.FreeBSD.org/pub/FreeBSD/2.2.1-RELEASE/floppies/newer/
                Also the CDROM of FreeBSD 2.2.1 has this problem corrected.
Source:         FreeBSD
FreeBSD only:   yes

Patches:

=============================================================================

I.   Background

     Sysinstall is used both for fresh installations of FreeBSD as
     well as post installation updates, like installing packages
     from CDROM or ftp sites.

II.  Problem Description

     One of the port installation options in sysinstall is to install
     an anonymous ftp setup on the system. In such a setup, an extra
     user needs to be created on the system, with username 'ftp'.
     This user is created with the shell equal to '/bin/date' and an
     empty password.

III. Impact

     Under some circumstances, this will allow unauthorized access
     of system resources.

IV. Solution(s)

     Change the entry of the ftp user such that is has an invalid password
     and an invalid shell. This can be done by becoming the superuser,
     and use the vipw command. Go to the line that starts with ftp::
     and change ftp:: to ftp:*:
     Also change, on the same line, the shell from /bin/date to /nonexistent.

     If you have not yet used sysinstall to create an anonymous ftp setup,
     but are planning to, please apply one of the following patches:

     Patch for FreeBSD 2.1.5, 2.1.6, 2.2 and 2.2.1:

    --- anonFTP.c       1996/04/28 03:26:42     1.14
    +++ anonFTP.c       1997/04/07 17:20:16
    @@ -195,7 +195,7 @@
        return (DITEM_SUCCESS);         /* succeeds if already exists */
         }

    -    sprintf(pwline, "%s::%s:%d::0:0:%s:%s:/bin/date\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir);
    +    sprintf(pwline, "%s:*:%s:%d::0:0:%s:%s:/nonexistent\n", FTP_NAME, tconf.uid, gid, tconf.comment, 
tconf.homedir);

         fptr = fopen(_PATH_MASTERPASSWD,"a");
         if (! fptr) {

    Patch for FreeBSD 2.1:

    --- anonFTP.c       1995/11/12 07:27:55     1.6
    +++ anonFTP.c       1997/04/03 19:29:21
    @@ -201,7 +201,7 @@
         return (RET_SUCCESS);  /* succeeds if already exists */
        }

    -   sprintf(pwline, "%s::%s:%d::0:0:%s:%s:/bin/date\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir);
    +   sprintf(pwline, "%s:*:%s:%d::0:0:%s:%s:/nonexistent\n", FTP_NAME, tconf.uid, gid, tconf.comment, tconf.homedir);

        fptr = fopen(_PATH_MASTERPASSWD,"a");
        if (! fptr) {

=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer () freebsd org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications () freebsd org
Security public discussion:     security () freebsd org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM0kvaFUuHi5z0oilAQHzVgP/TwmyRgBAF1Hs/jSihpAzFTRfHXdX/8+r
7mO7OHtM8vBTX1SPaYOr+DdSI2PkcSU4Y8O2OsdR3O4asV52LT5d/qWqJVQbN8bM
majL9ufeH3WotZHEJAo6nHf0/Cw+Aml2MytnaBiOHhvtiiY9aAEiYQve5TEwVbhE
92/GUaLo3uY=
=VjRL
-----END PGP SIGNATURE-----

Current thread:

Linux - buffer overflow in filter, (continued)
- Linux - buffer overflow in filter Mikhail Iakovlev (Apr 06)
- Re: Password problem in Trumpet Winsock. John Sheehy (Apr 06)
- Re: Password problem in Trumpet Winsock. Michael Douglass (Apr 07)
- Netware + Win95 issue Lauri Laupmaa (Apr 07)
  - Re: Netware + Win95 issue Paul Melson (Apr 08)
- Another one javascript exploit attempt? Andrew V. Kovalev (Apr 07)
- DUMP of NT system crash Vytautas Vysniauskas (Apr 07)
- Re: Password problem in Trumpet Winsock. Paul Melson (Apr 07)
- BoS: /etc/default/login LOCKOUT= creates arbitrary files (fwd) Illuminati Primus (Apr 07)
  - Re: BoS: /etc/default/login LOCKOUT= creates arbitrary files (f Eugene Bradley (Apr 08)
- FreeBSD Security Advisory: FreeBSD-SA-97:03.sysinstall Aleph One (Apr 07)
- CERT Advisory CA-97.09 - Vulnerability in IMAP and POP Aleph One (Apr 07)
- [linux-security] amd 920824upl102 ignores the nodev option Aleph One (Apr 08)